On Thu 21/Mar/2019 21:21:45 +0100 Bowie Bailey wrote:
>
>> At that point, the top of the header should be plenty of virus_header's (one
>> for each invocation):
>>
>> ale@pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ head eicar.mail
>> ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
>> Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL
>> Eicar-Test-Signature.UNOFFICIAL
>> Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL
>> Eicar-Test-Signature.UNOFFICIAL
>> Eicar-Test-Signature.UNOFFICIAL
>> From: aut...@example.com
>> To: vic...@example.net
>> Subject: test message
>> Virus-Header: what does this mean?
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary="=_1_1553193777_12188"
>
> And here's the problem. SecuriteInfo has their own Eicar signatures, so
> ClamAV found those first and not the one you were expecting. My header looks
> like this:
>
> ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
> SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
> SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
> Eicar-Test-Signature.UNOFFICIAL
> SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
> SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
> SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
> Eicar-Test-Signature.UNOFFICIAL
Uh, yeah, can be. The small database is made like so:

test.ndb:
	sigtool -f Eicar-Test-Signature > $@

where the argument to -f is a regular expression. So the database seems to
contain four matching signatures. Your database (like mine) probably has many
more matching signatures, such as Win.Test.EICAR_NDB-1, whose names don't
match the above regex.

> Not sure why everything is duplicated...

This is something we should ask the ClamAV developers. avtest.conf also
contains allmatch (since it's useful when configuring different actions for
different viruses). With --allmatch, clamscan duplicates (or triplicates)
messages too, even if the small database contains a single virus:

ale@pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ clamscan --allmatch -d ../../small eicar.mail
eicar.mail: Eicar-Test-Signature.UNOFFICIAL FOUND
eicar.mail: Eicar-Test-Signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

>> And hence:
>>
>> ale@pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ egrep '^ClamAV-Found: Eicar' eicar.mail | wc -l
>> 1
>>
>> Instead, at yours wc wrote "0". Why?
>>
>>> 9. testsuite.at:540: 9. per-virus behavior (testsuite.at:540): FAILED (testsuite.at:612)
>>>
>>> Suggestions?
>>>
>> I'd guess something must have gone wrong in the testsuite script. In the
>> testsuite, wc is $WC, after a definition in tests/atlocal, but egrep was not
>> checked during configure, so maybe it should have been grep -E or similar.
>> Is that the culprit?
>
> No, egrep works fine once the regex is adjusted to match the header.

Fine. I'll change that command to "egrep -i '^ClamAV-Found: .*Eicar' eicar.mail".
Thank you for the fix.

> I guess I should have specified that I'm running this on CentOS 7, not that it
> matters at this point.
>
> Looks like everything is working now. I'll try integrating it with Courier
> tomorrow. If I just want to reject any email that is flagged by ClamAV, I
> shouldn't need to adjust the default config, right?

Correct, reject is the default. You probably need to set "database" to the
same directory you configured as "DatabaseDirectory" in freshclam.conf. Also,
recall that clamd.conf is not read; please see avfilter.conf(5) if you need to
set clamav options.

Best
Ale

--
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
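The two problems the thread runs into, a ClamAV-Found header that lists the same signature several times under --allmatch and signature names that carry a third-party prefix such as SecuriteInfo.com, both bite anyone who keys per-virus actions on that header. The following is an added example, not code from the thread, from avfilter or from ClamAV: it parses the header out of a message with the standard email module, deduplicates the names, applies an ordered rule list, and reproduces the test suite's egrep check in anchored and unanchored form. The two sample header blocks are constructed from the outputs quoted above (the folding of continuation lines with leading whitespace is assumed), and the rule table and its action names (discard, quarantine, reject, accept) are an illustrative policy, not avfilter's configuration syntax.

```python
"""Per-signature decisions on the ClamAV-Found header (added example).

Assumptions, not taken from the thread: the filter writes one ClamAV-Found
header per scan listing every matching signature name separated by
whitespace, folded over several physical lines; action names are illustrative.
"""
import email
import re
from email import policy

# Constructed samples modelled on the two header blocks quoted in the thread:
# the small test database under --allmatch (same name twice) and a full
# database whose third-party signatures carry a SecuriteInfo.com prefix.
HEADER_SMALL_DB = (
    "ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL\n"
    "Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL\n"
    " Eicar-Test-Signature.UNOFFICIAL\n"
    "From: author@example.com\n"
    "To: victim@example.net\n"
    "Subject: test message\n"
    "\n"
    "body\n"
)
HEADER_FULL_DB = (
    "ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL\n"
    " SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL\n"
    " SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL\n"
    " Eicar-Test-Signature.UNOFFICIAL\n"
    " SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL\n"
    "From: author@example.com\n"
    "To: victim@example.net\n"
    "Subject: test message\n"
    "\n"
    "body\n"
)


def found_signatures(raw_message: str) -> list[str]:
    """Distinct signature names from every ClamAV-Found header, in first-seen
    order. policy.default unfolds continuation lines; splitting on whitespace
    and deduplicating collapses the --allmatch repeats to one entry each."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    seen: dict[str, None] = {}
    for value in msg.get_all("ClamAV-Found", []):
        for name in str(value).split():
            seen.setdefault(name, None)
    return list(seen)


# Illustrative ordered rules, first match wins. Patterns are searched rather
# than anchored and are case-insensitive, because other databases prefix the
# same detection (SecuriteInfo.com.Eicar-...) or spell it differently.
DEFAULT_RULES = [
    (re.compile(r"eicar", re.IGNORECASE), "discard"),
    (re.compile(r"\.UNOFFICIAL$"), "quarantine"),
]


def decide(raw_message: str, rules=DEFAULT_RULES, default: str = "reject") -> tuple[str, list[str]]:
    """Return (action, names): a clean message is accepted, the first rule
    matching any found name decides, and anything else gets the default."""
    names = found_signatures(raw_message)
    if not names:
        return ("accept", names)
    for pattern, action in rules:
        if any(pattern.search(name) for name in names):
            return (action, names)
    return (default, names)


def header_line_matches(raw_message: str, pattern: str, ignore_case: bool = False) -> bool:
    """Apply a regex to the ClamAV-Found line joined into one physical line,
    mirroring the test suite's egrep check: the anchored
    '^ClamAV-Found: Eicar' only matches when the first name starts with
    Eicar, the adjusted '^ClamAV-Found: .*Eicar' matches anywhere."""
    flags = re.IGNORECASE if ignore_case else 0
    msg = email.message_from_string(raw_message, policy=policy.default)
    for value in msg.get_all("ClamAV-Found", []):
        line = "ClamAV-Found: " + " ".join(str(value).split())
        if re.search(pattern, line, flags):
            return True
    return False


if __name__ == "__main__":
    for label, raw in (("small db", HEADER_SMALL_DB), ("full db", HEADER_FULL_DB)):
        action, names = decide(raw)
        print(f"{label}: {action} ({len(names)} distinct signature(s))")
        print("  anchored regex:", header_line_matches(raw, r"^ClamAV-Found: Eicar"))
        print("  adjusted regex:", header_line_matches(raw, r"^ClamAV-Found: .*Eicar", True))
```

Run stand-alone it prints the decision for both constructed headers and shows the anchored regex matching only the small-database header while the adjusted one matches both, which is the 1-versus-0 count the thread was chasing.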